From: z999
To: freebsd-questions@freebsd.org
Date: Thu, 2 Aug 2007 07:09:50 +0200
Subject: Firewall question
Message-ID: <20070802050950.GA865@cyborg.c83-250-138-187.bredband.comhem.se>
List-Id: User questions

Hi

What I want to accomplish is a DMZ on the third ethernet on my Soekris box.
I have done this before with OpenBSD and PF, but now I want to do it with
FreeBSD and ipfw. My ISP uses DHCP, but they don't change my IP so very often
(almost never), so you can see it as if I have a static IP.

First the IP numbers on the three cards in the box:

    sis0 has 83.x.x.x
    sis1 has 192.168.0.1, and this is the LAN.
    sis2 has 10.0.0.1, and this is meant to be a DMZ.

Another box with IP 10.0.0.2 is connected to sis2 and is configured as a
webserver. I have a working firewall in the Soekris box with ipfw.

What I want to do is redirect incoming on port 80 to 10.0.0.2. I have tried
this in my /etc/natd.conf:

    redirect_port tcp 10.0.0.2:80 80

in combination with an opening for incoming in the firewall for port 80 (any
to any). I also opened for it in hosts.allow. I can see the website on my
local LAN and I can see it from the firewall, but not from outside. I use my
cellphone to check if it's reachable (and that worked under OpenBSD and pf).

In my rc.conf I have natd_flags="-f /etc/natd.conf" after the firewall; I
want the firewall early in the file, before the ethernets are configured.

I then tried to do the natd directly in my ipfw_rules (my ipfw rules file)
with this:

    natd -redirect_port tcp 10.0.0.2:80 80

which gave me this:

    natd:instance default: aliasing address not given.

The handbook says "The external IP address on the natd machine must be
active and aliased to the external interface. Look at rc.conf(5) to do so."
Well,

    ifconfig_sis0_alias0="inet 10.0.0.2 netmask 255.255.255.255"

would not make it (I have tried other netmasks as well).

I have googled around and seen that others have had the same problem, but no
solutions or suggestions that lead in the right direction. Someone must have
done this before, I assume? Or if someone has some ideas I will be very happy.

/Regards from Sweden.
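An added sanity check for the setup described in the post (example code written for this page, not the poster's or FreeBSD's): it verifies the two things a natd redirect_port needs on the gateway, an aliasing interface for natd (what the "aliasing address not given" error complains about; in rc.conf this is normally supplied as natd_interface="sis0") and an ipfw "divert natd" rule on the external interface numbered before any rule that allows port 80. File names, rule numbers and the sample configs are constructed.

```sh
#!/bin/sh
# Added example, not from the original post or FreeBSD: sanity-check a natd.conf
# and an ipfw rules file for what a redirect_port setup needs on the gateway.
#   1. natd must know its aliasing interface/address ("interface sis0" in
#      natd.conf, or natd_interface="sis0" in rc.conf); without it natd stops
#      with "aliasing address not given".
#   2. ipfw must hand packets on the external interface to natd with a
#      "divert natd" rule numbered BEFORE any "allow ... 80" rule, or inbound
#      port-80 traffic is accepted for the gateway itself and never rewritten.
# File names, rule numbers and the sample configs below are constructed.

TMPD=$(mktemp -d)

# natd.conf as in the post: the redirect alone, no aliasing address.
BROKEN_NATD="$TMPD/natd.broken"
printf 'redirect_port tcp 10.0.0.2:80 80\n' > "$BROKEN_NATD"

# natd.conf with the aliasing interface named explicitly.
FIXED_NATD="$TMPD/natd.fixed"
printf 'interface sis0\nsame_ports yes\nredirect_port tcp 10.0.0.2:80 80\n' > "$FIXED_NATD"

# ipfw rules where the any-to-any allow sorts before the divert (order bug).
BROKEN_RULES="$TMPD/ipfw.broken"
printf 'add 100 allow tcp from any to any 80\nadd 200 divert natd ip from any to any via sis0\n' > "$BROKEN_RULES"

# ipfw rules with divert first, then an allow narrowed to the DMZ host.
FIXED_RULES="$TMPD/ipfw.fixed"
printf 'add 50 divert natd ip from any to any via sis0\nadd 100 allow tcp from any to 10.0.0.2 80 in via sis0\n' > "$FIXED_RULES"

# 0 if the natd config names an aliasing interface or address.
natd_has_alias() {
    grep -Eq '^[[:space:]]*(interface|alias_address)[[:space:]]+[^[:space:]#]' "$1"
}

# 0 if the rules ($1) divert all traffic on interface $2 to natd (by name or port 8668).
ipfw_has_divert() {
    grep -Eq "divert[[:space:]]+(natd|8668)[[:space:]]+(ip|all)[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+any[[:space:]]+via[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# 0 if the numbered divert rule evaluates before every allow rule for port 80.
divert_before_allow() {
    awk '
        /divert[ \t]+(natd|8668)/ { for (i = 1; i <= NF; i++) if ($i == "add") d = $(i + 1) }
        /allow/ && / 80([ \t]|$)/  { for (i = 1; i <= NF; i++) if ($i == "add") a[++n] = $(i + 1) }
        END { if (d == "") exit 1; for (i = 1; i <= n; i++) if (a[i] + 0 <= d + 0) exit 1 }
    ' "$1"
}

for f in "$BROKEN_NATD" "$FIXED_NATD"; do natd_has_alias "$f" && echo "$f: ok" || echo "$f: aliasing address MISSING"; done
```

Run it against your real /etc/natd.conf and rules file by pointing the functions at those paths instead of the constructed samples.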